International data transfers — Handley Gill's blog — Handley Gill

LEGAL, REGULATORY & COMPLIANCE CONSULTANTS

Posts tagged International data transfers

#DPPC24

#DPPC24

If you couldn’t make it to the Information Commissioner's Office's (ICO's) Data Protection Practitioners' Conference 2024 (DPPC24), missed a session, were double-booked, couldn’t choose or want to delve deeper into the issues raised by any of the following sessions, Handley Gill's specialist data protection consultants highlight our related content.

On Hand August 2024

August 2024 edition of Handley Gill’s monthly digital newsletter, On Hand, with all the latest developments in data protection (UK, EU and global), cyber security, AI and machine learning, content regulation, online safety, open justice, access to information, reputation management, digital markets regulation, human rights & ESG. Presented in a readily digestible digital format, those who prefer the traditional newsletter format can export the newsletter to pdf.

Nicola Cain31 August 2024Data Protection, PERSONAL DATA, GDPR, General Data Protection Regulation, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, DATA PROTECTION ACT 2018, PRIVACY AND ELECTRONIC COMMUNICATIONS REGULATIONS, PECR, ePrivacy Directive, Data Privacy, Cyber Security, Information Security, Cyber Resilience, CONTENT REGULATION, Content Moderation, Online Safety, Online Harms, eSafety, Reputation Management, Libel, Slander, Malicious Falsehood, Misuse of Private Information, Privacy, Article 8 European Convention on Human Rights, Confidential Information, Breach of Confidence, Freedom of Expression, Freedom of Speech, Free speech, Article 10 European Convention on Human Rights, Open Justice, Access to Information, Freedom of Information Act 2000, FOIA, Environmental Information Regulations 2004, EIRs, AI, Artificial Intelligence, Digital Markets, Digital Markets Regulation, Human Rights, Human Rights Act 1998, European Convention on Human Rights, ESG, Environmental Social & Governance, Environmental Social & Corporate Governance, Information Commissioner, ICO, Monetary Penalty Notice, International data transfers, Restricted International Data Transfers, Media Act 2024, Generative AI & Data Protection, Generative AI, Generative Artificial Intelligence, CMA, Competition & Markets Authority, Children's Code, Institute of Directors, IoD, Responsible Business, FCA, Financial Conduct Authority, Data Protection Commission, Leveson, Press Recognition Panel, Press Regulation, Media Regulation, Data Controller, Data Protection Fee, Online Safety Act 2023, Illegal Harms, Digital Markets Competition & Consumers Act, DMCCAComment

Best Before: 21 March 2024

Best Before: 21 March 2024

Handley Gill’s specialist data protection consultants highlight the forthcoming deadline for data controllers to review and, if necessary, update the safeguards relied upon as the lawful basis for conducting transfers of personal data from the UK to overseas where these currently rely upon the old European Commission standard contractual clauses / model clauses, including guidance on the actions that need to be taken.

Nicola Cain13 March 2024Data Protection, Personal Data, UK GDPR, Data Transfer, International data transfers, Restricted International Data Transfers, Article 46(2)(d) UK GDPR, BREXIT, Standard contractual clauses, SCCs, Modernised SCCs, Modernised Standard Contractual Clauses, Standard data protection clauses, Information Commissioner, Information Commissioner's Office, International Data Transfer Agreement, IDTA, International Data Transfer Addendum, EUROPEAN COMMISSION, Model clauses, European Commission Decision 2001/497/EC, European Commission Decision 2010/87/EU, DATA PROTECTION ACT 2018, Schedule 21 Part 3 para.7 Data Protection Act 2018, The Data Protection Privacy & Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419), International Data Transfer Risk Assessment, International Data Transfer Impact Assessment, Transfer Risk Assessment, Transfer Impact Assessment, Transfer Risk Assessment Tool, Appropriate Safeguards, Commission Implementing Decision (EU) 2021/914 of 4 June 2021Comment

PSNI Blues

PSNI Blues

Reflecting on the reprimand issued by the Information Commissioner against the Police Service of Northern Ireland (PSNI) for unlawfully transferring personal data processed for the law enforcement purposes under Part 3 Data Protection Act 2018 to the USA, Handley Gill’s consultants identify the elements of a compliance programme that would mitigate against such incidents and have produced a downloadable pdf illustrating each lawful basis for transferring personal data processed under Part 3 DPA 2018 overseas.

UK-US data bridge open for traffic

UK-US data bridge open for traffic

Handley Gill’s specialist data protection consultants consider the implications of The Data Protection (Adequacy) (United States of America) Regulations 2023 (SI 2023/1028) for data exporters subject to the UK GDPR conducting personal data transfers from the UK to the USA and what action should be taken.

Certify...certify me!

Certify...certify me!

Handley Gill’s specialist data protection consultants consider the options and certification requirements for US entities importing personal data from the EEA following the adoption of the European Commission’s adequacy decision in respect of the Trans-Atlantic EU-US Data Privacy Framework, providing a lawful basis for transferring personal data to the US under the GDPR.

Nicola Cain16 July 2023Data Protection, Data Privacy, PERSONAL DATA, GDPR, General Data Protection Regulation, GENERAL DATA PROTECTION REGULATION, Regulation (EU) 2016/679, Data Transfer, Restricted International Data Transfers, Restricted Data Transfer, International Transfers, International data transfers, US Data Transfers, EU-US DPF, EU-US Data Privacy Framework, SCCs, Modernised SCCs, Supplementary Measures, Transatlantic Data Privacy Framework, Trans-Atlantic Data Privacy Framework, Transfer Risk Assessment, Transfer Impact Assessment, Transfer Risk Assessment Tool, Data transfer agreement, TADPF, Trans-Atlantic EU-US Data Privacy Framework, Trans-Atlantic EU-US Data Privacy Framework Principles, DPF Principles, Privacy Shield, Privacy Shield Principles, EU-US DPF Certification, Privacy Shield Certification, Privacy Shield Self-Certification, Schrems II, Personal Data Transfer, Personal Data Export, Data exporter, Data Importer, Safe Harbor, Chapter 5 GDPR, Article 44 GDPR, Article 45 GDPR, Adequacy Decision, US Adequacy Decision, EUROPEAN COMMISSION, C(2023) 4745, TADPF Certification, Data Controller, Data Processor, Data ExporterComment

Freedom from the tyranny of supplementary measures

Freedom from the tyranny of supplementary measures

Handley Gill Limited’s specialist data protection consultants consider the impact of the European Commission’s adequacy decision in respect of the Trans-Atlantic EU-US Data Privacy Framework and the steps controllers and processors should take in relation to transfers of personal data from the EEA and UK to the USA.

Nicola Cain11 July 2023Data Protection, Personal Data, GDPR, General Data Protection Regulation, Regulation (EU) 2016/679, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, Data Transfer, Personal Data Transfer, International Transfers, International data transfers, Safe Harbor, Privacy Shield, EU-US Data Privacy Framework, Transatlantic Data Privacy Framework, Trans-Atlantic Data Privacy Framework, Chapter 5 GDPR, Chapter 5 UK GDPR, Article 44 GDPR, Article 44 UK GDPR, Article 45 GDPR, Article 45 UK GDPR, Article 45(2) GDPR, Article 45(2) UK GDPR, Adequacy Decision, Schrems II, Adequacy Regulations, Section 17A Data Protection Act 2018, S.17A Data Protection Act 2018, S.17A DPA 2018, DPA 2018, Data Protection Act 2018, Standard contractual clauses, Standard data protection clauses, Supplementary Measures, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Transfer Risk Assessment, Transfer Impact Assessment, International Data Transfer Agreement, International Data Transfer Addendum, IDTA, SCCs, Modernised SCCs, Modernised Standard Contractual Clauses, Executive Order 14086, Qualifying State, TADPF, US Data Transfers, UK-US Data Bridge, Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, FISA 702, Prism, Upstream, EU-US DPF, Data Controller, Data Processor, Data exporter, Data ImporterComment

A bridge to nowhere?

A bridge to nowhere?

A commitment to establishing a UK-US data bridge, which would take the form of adequacy regulations being issued by the Secretary of State pursuant to section 17A Data Protection Act 2018, has been announced. Since this bridge is likely to be contingent on the European Commission issuing its own adequacy decision, and the draft has recently been rejected by the European Parliament, data exporters will be reliant on the Commission ramming through the roadblock or will find themselves stuck in traffic on the UK-US data flyover.

Nicola Cain18 June 2023Data Protection, Personal Data, GDPR, General Data Protection Regulation, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, Privacy Shield, Schrems II, Transatlantic Data Privacy Framework, Adequacy Decision, EUROPEAN COMMISSION, Safe Harbor, Adequacy Regulations, UK Adequacy, Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities, EU-US Data Privacy Framework, UK-US Data Bridge, Chapter 5 GDPR, Chapter 5 UK GDPR, Article 45 GDPR, Article 45 UK GDPR, Article 46 GDPR, Article 46 UK GDPR, Data Protection Act 2018, Section 17A Data Protection Act 2018, s17A Data Protection Act 2018, Qualifying State, Executive Order 14086, TADPF, European Parliament, Committee on Civil Liberties, Committee on Civil Liberties Justice & Home Affairs, LIBE Committee, European Data Protection Board, EDPB, Opinion 5/2023, German-American Data Protection Day, DoJ, Department of Justice, Standard contractual clauses, Standard data protection clauses, Supplementary Measures, Transfer Risk Assessment, Transfer Impact Assessment, Derogation, Data Transfer, Data transfer agreement, US Data Transfers, International Transfers, International data transfers, International Data Transfer Risk Assessment, Data Controller, Data Processor, Data exporter, Data ImporterComment

On Hand May 2023

May 2023 edition of Handley Gill’s monthly digital newsletter, with all the latest developments in data protection (UK, EU and global), cyber security, AI and machine learning, content regulation, open justice, access to information, reputation management and digital markets regulation. Presented in a readily digestible digital format, those who prefer the traditional newsletter format can export the newsletter to pdf.

Nicola Cain1 June 2023Data Protection, Personal Data, GDPR, General Data Protection Regulation, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, DATA PROTECTION ACT 2018, DPA 2018, Privacy and Electronic Communications (EC Directive) Regulations 2003, PECR, Information Commissioner, Data Protection Commission, CONTENT REGULATION, AI, Artificial Intelligence, AI Regulation, Machine Learning, Cyber Security, Cyber Resilience, Digital Markets Regulation, Reputation Management, Defamation, Privacy, Data Privacy, Libel, Slander, Malicious Falsehood, Misuse of Private Information, Breach of Confidence, Data Breach, Press Regulation, Broadcasting, Broadcasting Regulation, Ofcom, Digital Markets Competition & Consumers Bill, European Data Protection Board, EDPB, On Hand, Facial Recognition, Meta Platforms Ireland Limited, Ransomware, Data Protection & Digital Information (No.2) Bill, EU law, Retained EU Law, BREXIT, Brexit Freedoms Bill, Retained EU Law (Revocation and Reform) Bill, Cyber Attack, ESG, Environmental Social & Governance, Environmental, Environmental Social & Corporate Governance, Human Rights, China, Data Transfer, International data transfers, Restricted International Data Transfers, Broadcasting Code, Ofcom Broadcasting Code, Online Safety, Online Harms, eSafety, Open Justice, Reporting Restriction, CHILDREN, Children's Data, Misinformation, Disinformatoin, Disinformation, Illegal Harms, Child Sexual Abuse Regulation, Child Sexual Abuse Material, CSAMComment

Data Downgrade Down Under?

Data Downgrade Down Under?

Handley Gill Limited’s data protection consultants consider the implications of the 2021 Free Trade Agreement between the UK and Australia - taking effect on 31 May 2023 - for the protection of personal data and the ease of international transfers of personal data.

Nicola Cain31 May 2023BREXIT, UK, United Kingdom, Australia, Data Protection, Personal Data, Privacy, Data Privacy, GDPR, General Data Protection Regulation, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, DATA PROTECTION ACT 2018, Section 17A Data Protection Act 2018, Adequacy Decision, Adequacy Regulations, New Zealand, European Commission, Secretary of State for Science Innovation & Technology, Marketing, Direct Marketing, Consent, Marketing Consent, Privacy Act, Privacy Act Review, Foreign Commonwealth and Development Office, Foreign Office, Department for Business and Trade, Department for Science Innovation and Technology, Department for Culture Media & Sport, Data Transfer, Restricted Data Transfer, Restricted International Data Transfers, International data transfers, Standard contractual clauses, Derogations, Data Controller, Data ProcessorComment

Risky business

New guidance issued by the Information Commissioner’s Office on the approach to assessing the risk of restricted ex-UK international data transfers may ease restrictions on transfers of personal data to the US and presents an opportunity to revisit ex-UK international data transfers that had previously been rejected as non-compliant.

Nicola Cain20 November 2022Data Protection, Personal Data, GDPR, General Data Protection Regulation, Regulation (EU) 2016/679, UK GDPR, UK GENERAL DATA PROTECTION REGULATION, Article 46 GDPR, Article 46 UK GDPR, Article 46(2)(c) UK GDPR, Article 46(2)(c) GDPR, DATA PROTECTION ACT 2018, DPA 2018, Data Transfer, US Data Transfers, Restricted Data Transfer, International data transfers, Restricted International Data Transfers, DPC22, Emma Bate, Information Commissioner's Office, Information Commissioner, ICO, EDPB, European Data Protection Board, International Data Transfer Risk Assessment, IDTRA, Transfer Risk Assessment, TRA, Data export, Personal Data Export, Data Exporter, Supplementary Measures, Data Controller, Data Processor, Data Importer, Schrems II, C-311/18, Transatlantic Data Privacy Framework, Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, Appropriate Safeguards, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, EDPB Recommendation 01/2020, International Data Transfer Agreement, International Data Transfer Addendum, IDTA, Standard Contractual Clauses, Modernised Standard Contractual Clauses, International Transfers, Privacy, Data Privacy, Human Rights, Transfer Risk Assessment Tool, Data Protection & Digital Information Bill, Adequacy Decision, UK Adequacy, Bill of Rights, Transfer Impact Assessment, TIAComment

GDP-ouR

GDP-ouR

In a speech at the Conservative Party Conference 2022, Michelle Donelan MP, the Secretary of State for Digital, Culture, Media and Sport, announced a bespoke British system of data protection, appearing to indicate a significant revision to the Data Protection and Digital Reform Bill currently undergoing Parliamentary consideration and a potential consolidation of the UK’s data protection law framework.

See ya SCCs, enter the IDTA

See ya SCCs, enter the IDTA

New data processing or other sharing agreements governed by the UK GDPR, which are entered into on or after Thursday 22 September 2022 and which involve the export of personal data from the UK to third countries and will rely on appropriate safeguards under Article 46 UK GDPR in the form of standard data protection clauses, can no longer rely on the standard contractual clauses (SCCs) or ‘model clauses’ issued by the European Commission and valid as at 31 December 2020 and must instead incorporate the International Data Transfer Agreement or modernised SCCs and International Data Transfer Addendum.

Nicola Cain20 September 2022Data Protection, Data Protection Act 2018, GDPR, UK GDPR, General Data Protection Regulation, UK General Data Protection Regulation, EUROPEAN COMMISSION, Information Commissioner, SchremsII, Schrems II, Standard contractual clauses, SCCs, Modernised Standard Contractual Clauses, Modernised SCCs, International data transfers, International Data Transfer Agreement, IDTA, International Data Transfer Addendum, International Data Transfer Risk Assessment, Article 46 UK GDPR, Article 46 GDPR, Model clauses, European Commission Decision 2001/497/EC, European Commission Decision 2010/87/EU, Brexit, UK-EU Withdrawal Agreement, Article 46(2)(c) UK GDPR, Article 46(2)(d) UK GDPR, Article 46(2)(d) GDPR, Standard data protection clauses, The Data Protection Privacy & Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419), Schedule 21 Part 3 para.7 Data Protection Act 2018, Data transfer agreement, Data exporter, Commission Implementing Decision (EU) 2021/914, Data Controller, Data Processor, Data Exporter, Data ImporterComment

Truss calls time for TikTok?

Truss calls time for TikTok?

As Conservative Party Leadership Contest candidate Liz Truss threatened to crack down on ByteDance, the Chinese owner of social media platform TikTok, during the BBC’s News Special ‘Our Next Prime Minister’ on 25 July 2022, we explore how she might seek to do that under the National Security and Investment Act 2021, through amendments to the Online Safety Bill and/or Data Protection and Digital Information Bill and through the actions of regulators Ofcom and the Information Commissioner.

Nicola Cain26 July 2022Conservative Party, Conservative Party Leader, Prime Minister, Liz Truss, Nadine Dorries, Secretary of State for Digital Culture Media and Sport, Foreign Secretary, TikTok, ByteDance, China, Rishi Sunak, Faisal Islam, BBC, National Security and Investment Act 2021, The National Security and Investment Act 2021 (Notifiable Acquisition) (Specification of Qualifying Entities) Regulations 2021, Defamation, Absolute Privilege, ONLINE SAFETY BILL, Data Protection and Digital Information Bill, Data Protection & Digital Information Bill, DPDI Bill, OFCOM, Information Commissioner, Information Commissioner's Office, Information Commission, ICO25, Fit and Proper, Video on Demand, VOD, Video Streaming Sites, Video Sharing Platforms, VSPs, International data transfers, Data Localisation, Prior Consultation, Statement of Strategic Priorities, Kemi Badenoch, CONTENT REGULATION, Platform Regulation, Technology Regulation, USER GENERATED CONTENT, UGCComment

Rishi’s capital gains?

Rishi’s capital gains?

Former Chancellor and Conservative Party leadership candidate Rishi Sunak’s promise that one of his top priorities will be the removal of the burdens of the GDPR need not be interpreted as a significant departure from the proposals for the Data Reform Bill set out in the Government’s response to the Data: A New Direction consultation, but it will rely on the European Commission adopting equality of approach and not seeking to punish the UK for Brexit.

U-turn?

U-turn?

Handley Gill summarises the Government's publication of its response to the ‘Data: A New Direction’ consultation, previewing the content of the forthcoming Data Reform Bill, which was proposed in ‘The Benefits of Brexit’ policy paper and formally announced in the Queen’s Speech 2022.

Nicola Cain22 June 2022Personal Data, UK GDPR, UK General Data Protection Regulation, Data Protection Act 2018, DPA 2018, PECR, Privacy and Electronic Communications Regulations, Data: A New Direction, Data Protection Reform, BREXIT, National Data Strategy, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Article 89 UK GDPR, Recital 159 UK GDPR, Recital 33 UK GDPR, Article 14 UK GDPR, Recital 62 UK GDPR, Disproportionate effort, Article 6(1)(f) UK GDPR, Political processing, Article 6 UK GDPR, Special Category Personal Data, Schedule 1 Data Protection Act 2018, Anonymity, Anonymous Data, Article 4(1) UK GDPR, the Council of Europe’s Convention 108, the Council of Europe Convention 108, Privacy management programme, Data Protection Officer, Article 37 UK GDPR, Data Protection Impact Assessment, DPIA, Article 35 UK GDPR, Article 30 UK GDPR, Records of Processing Activities, Article 36 UK GDPR, Prior Consultation, Article 12(5) UK GDPR, Manifestly Unfounded or Excessive, Article 45(2) UK GDPR, International data transfers, Adequacy Decision, s.17B(1) Data Protection Act 2018, Alternative Transfer Mechanisms, Article 46 UK GDPR, Law enforcement processing, Part 3 Data Protection Act 2018, Part 4 Data Protection Act 2018, Cookie Consent, Regulation 6 Privacy and Electronic Communications Regulations, Regulation 22(2) Privacy and Electronic Communications Regulations, Soft Opt-In, Marketing, Regulatory Enforcement, Information Commissioner, Statutory Duties, Statement of Strategic Priorities, Expert Panel, Technical Reports, Notice of Intent, Final Penalty Notice, AI, Artificial Intelligence, Article 22 UK GDPR, Automated Processing, Voluntary Undertakings, Data Breach Reporting, Article 33 UK GDPR, Article 15 UK GDPR, Data Subject Access Request, Reverse Transfers, Article 49 UK GDPR, Derogations, s.35 Digital Economy Act 2017, Data Sharing, Algorithm Transparency, Schedule 1 Part 2 Data Protection Act 2018, Substantial Public Interest, Biometric Data, Impact Assessments, Legitimate Interests Assessment, Biometrics Commissioner, Smart Data Schemes, Data Intermediaries, Article 46(2)(f) UK GDPR, Certification Regime, Surveillance Camera Commissioner, Schedule 16 paragraph 2(2) Data Protection Act 2018, Data Protection & Digital Information BillComment

European Court of Justice wields axe against Privacy Shield

European Court of Justice wields axe against Privacy Shield

Action needed by data controllers to assess the compliance of relevant international data transfers with GDPR following CJEU decision in Schrems invalidating Privacy Shield.

Data transfersNicola Cain15 November 2020Handley Gill LimitedData protection, Data privacy, Schrems, SchremsII, International data transfers, Privacy Shield, GDPR, Article 44, Standard contractual clausesComment